ping out working, ping in shows up on bridge but not target device

I'm able to use novnc into my cirros instance, and I can ping/ssh out of the instance. However, I'm unable to ping/ssh into the instance. I've been able to find that the pings are not forwarded from the egress VM bridge to the egress VM interface. Does anyone have ideas for the next step in figuring out why the packet isn't forwarded from the VM's bridge to its interface?

I used the tcpdump suggestions from the operations guide to see that ingress pings get to the bridge for the VM but do not show up on the interface. (Obviously, I can see the pings on both the bridge and the interface for egress pings.)

1 answer

Answering my own question here.
After looking at the OpenStack Networking Administration Guide (bk-quantum-admin-guide-grizzly.pdf), Chapter 5 (Under the Hood), I found that the tap device is the place where Quantum implements the security profiles using iptables. Actually, the diagrams and explanations in that section were quite good.

The root cause of my issue appears to be that the security profile is not being configured for my VM. However, I was able to enable forwarding of ICMP traffic by finding the chain associated with my tap device by looking at --physdev-in rules and adding an ACCEPT rule for ICMP at the top of the chain. This allowed pings to work, but it tells me that the metadata for the security group is not being set up correctly. I used the following command to enable ping for debug.
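The lookup the answer describes (find the per-port security-group chain that the physdev rules jump to for a given tap, then insert a temporary ICMP ACCEPT at the top of it) can be scripted against `iptables-save` output so the chain name is not read off by hand. The script below is an added example and is not the answerer's command or part of Quantum itself. It assumes the Grizzly-era `quantum-openvswi-` chain naming and the `-sg-chain` dispatch layout; the tap name, port id and ruleset are constructed sample data, not from a real host. One detail worth knowing when reading the rules: traffic heading into the VM leaves the bridge through the tap, so it matches `--physdev-out <tap>` (the ingress, `-i...` chain), while traffic leaving the VM matches `--physdev-in <tap>` (the egress, `-o...` chain).

```shell
#!/bin/sh
# Added example (not from the original post): locate the security-group
# chain for a tap device in iptables-save output and build the debug rule.

# Constructed sample of "iptables-save -t filter" output. The tap name,
# port id and chain names are invented for illustration.
SAMPLE_RULES='*filter
:quantum-openvswi-FORWARD - [0:0]
:quantum-openvswi-sg-chain - [0:0]
:quantum-openvswi-sg-fallback - [0:0]
:quantum-openvswi-iabcdef01-2 - [0:0]
:quantum-openvswi-oabcdef01-2 - [0:0]
-A FORWARD -j quantum-openvswi-FORWARD
-A quantum-openvswi-FORWARD -m physdev --physdev-out tapabcdef01-23 --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-FORWARD -m physdev --physdev-in tapabcdef01-23 --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-sg-chain -m physdev --physdev-out tapabcdef01-23 --physdev-is-bridged -j quantum-openvswi-iabcdef01-2
-A quantum-openvswi-sg-chain -m physdev --physdev-in tapabcdef01-23 --physdev-is-bridged -j quantum-openvswi-oabcdef01-2
-A quantum-openvswi-iabcdef01-2 -m state --state INVALID -j DROP
-A quantum-openvswi-iabcdef01-2 -j quantum-openvswi-sg-fallback
-A quantum-openvswi-oabcdef01-2 -j RETURN
-A quantum-openvswi-sg-fallback -j DROP
COMMIT'

# chain_for_tap TAP DIRECTION
#   Reads iptables-save text on stdin and prints the chain that the
#   sg-chain dispatch rule jumps to for TAP. DIRECTION is "out" for
#   traffic into the VM (--physdev-out) or "in" for traffic leaving it.
chain_for_tap() {
    tap="$1"
    opt="--physdev-$2"
    awk -v tap="$tap" -v opt="$opt" '
        $1 == "-A" && $2 ~ /-sg-chain$/ {
            for (i = 3; i <= NF; i++) {
                if ($i == opt && $(i + 1) == tap) {
                    for (j = i; j <= NF; j++) {
                        if ($j == "-j") { print $(j + 1); exit }
                    }
                }
            }
        }'
}

# icmp_debug_rule CHAIN
#   Prints (does not run) the temporary rule the answer describes: an
#   ICMP ACCEPT inserted at position 1 so it is evaluated before the
#   chain's existing DROP/fallback rules.
icmp_debug_rule() {
    printf 'iptables -I %s 1 -p icmp -j ACCEPT\n' "$1"
}

# counters_cmd CHAIN
#   Prints the command that shows per-rule packet counters, which is how
#   you confirm the inserted rule is actually being hit by ingress pings.
counters_cmd() {
    printf 'iptables -vnL %s\n' "$1"
}

# Demo run against the constructed sample.
ingress_chain=$(printf '%s\n' "$SAMPLE_RULES" | chain_for_tap tapabcdef01-23 out)
egress_chain=$(printf '%s\n' "$SAMPLE_RULES" | chain_for_tap tapabcdef01-23 in)
echo "ingress (into VM) chain: $ingress_chain"
echo "egress  (from VM) chain: $egress_chain"
echo "debug rule to insert:    $(icmp_debug_rule "$ingress_chain")"
echo "verify with:             $(counters_cmd "$ingress_chain")"
```

On a real host, replace `SAMPLE_RULES` with `iptables-save -t filter` and pass the tap name from `brctl show` or `ip link`. The printed `iptables -I ... 1` rule is a debugging aid only: it bypasses the security-group chain for ICMP, and the agent will remove it on its next rule refresh, so once the counters from `iptables -vnL` confirm the path, the real fix is still getting the security-group rules programmed for the port as the answer notes.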